Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Agenda
• Introduction
• Before we start…
• ISO27001 implementation vs audit
• ISMS vs PIMS, in practice
• The implementer view
• The auditor view
• Q & A
Introduction
Peter Geelen (CyberMinute)
My experience
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
Certification
• ISO27001 Master & Lead ISO27002
• ISO27701 Lead Implementer & Lead Auditor
• Certified DPO & Fellow in Privacy
• Lead Incident Manager & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Manager
• Lead ISO27005 (Risk Management)
Accreditation
• Accredited ISO27001/9001 Lead Auditor
• Accredited Security Trainer
More info: http://www.cyberminute.com
LinkedIn: https://ffwd2.me/pgeelen
peter@cyberminute.com
Stefan Mathuvis (QMA)
My experience
• 20 years experience in security
• Quality Management
• Quality Auditor
• Cybersecurity
• Security, Data Protection & Privacy
• Trainer, coach, auditor
Certification
• ISO27001 Lead Auditor
• ISO9001 Lead Auditor
• Lead auditor ESD & GDP Pharma
• Lead auditor GQS
• CDPO
• Master trainer DGQ
Accreditation
• Accredited ISO27001 Lead Auditor
• Accredited ISO9001 Lead Auditor
More info: http://www.qma.be
LinkedIn: https://ffwd2.me/stefan
stefan@qma.be
Before we start…
Recap: Previous sessions
• Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
  • PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
  • Recording: https://youtu.be/ilw4UmMSlU4
  • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
• ISO/IEC 27701 vs GDPR - What you need to know
  • PECB: https://pecb.com/past-webinars/isoiec-27701-vs-gdpr-what-you-need-to-know
  • Recording: https://www.youtube.com/watch?v=P80So3ryvJ8
  • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/isoiec-27701-vs-gdpr-what-you-need-to-know
For other webinars, see: https://pecb.com/en/webinars
Recap: ISO27001 structure
• Remember ISO27001 (the 2013 edition, which this session uses)
• ISMS: Information Security Management System
• 10 clauses
• 114 controls (Annex A)
• Based on PDCA
ISO27001 main principle: PDCA
• Plan, Do, Check, Act
[Figure: the PDCA wheel on a "quality improvement" slope, axes time and quality; the standard is the quality-assurance block under the wheel. Source: ISO 9001:2015]
Did you know…
Source: PECB ISO27001 Lead Implementer
PDCA in ISO27001
• Plan: clause 6 Planning, supported by clause 4 Context of the organization, clause 5 Leadership and clause 7 Support
• Do: clause 8 Operation
• Check: clause 9 Performance evaluation
• Act: clause 10 Improvement
• Annex A: control objectives and controls
ISO27701 (PIMS)
Extension to ISO27001 (ISMS)
• Information Security Management System
• + extension to privacy
• + interpretation for GDPR
= PIMS (Privacy Information Management System)
For this session… naming convention
To avoid any confusion:
• ISMS refers to ISO27001
• PIMS refers to ISO27701 (on top of ISO27001)
ISMS implementation vs audit
Opposite or complementary?
The ISO audit lifecycle…
Officially it starts with the external audit, but…
• You can use the audit techniques during the initial implementation
• Implement a pre-stage audit
• An internal audit is needed (official requirement)
• The system must have a sufficient track record before the initial audit
After the initial audit
• Yearly surveillance audits
• 3-year cycle to recertification
• Continuous maintenance (also of the internal audit)
• Continuous improvement
The ISO audit lifecycle…
Initial audit
• "Get in control"
• Passing the mark
• Basic maturity (ref. CMMI level 3)
• Room for growth and maturity
Surveillance audit (+ recertification)
• "Stay in control"
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…
The implementation lifecycle…
Starts long before the external audit
• Use the audit techniques during the initial implementation
• Pre-stage audit
• Internal audit needed (official requirement)
Doesn't stop after the initial external audit
• Maintenance
Hints and tips
When starting an ISMS implementation
• It takes time to adapt business processes to the ISO approach
• Focus on evidence:
  • not only documentation,
  • but also operational results that can be tracked,
  • and people who know how the ISMS plugs into their work
Audit
• Not just a checklist, but focused on results
• Based on evidence (double evidence)
• Advisory function (but not consulting)
ISMS to PIMS, in practice.
Getting the mind shift right…
Fundamental change in approach
When shifting from ISMS to PIMS
• It is no longer about "enterprise only" data
• It is ALSO about personal data
• On top of it…
Meaning: in the ISMS, you are in the lead with enterprise data.
In the PIMS, the data subject is in the lead when personal data is handled (strong legislation gives power to the subject).
Fundamental change in mindset & environment
[Figure: from ISMS to PIMS, with the ISMS remaining as the base]
The implementer/audit view of PIMS
Recap from previous sessions.
Why is this important?
Auditor vs implementer
• If you know how the audit works, you know better what to implement
• Both in the right spirit:
  • results based, not checklist based
  • growth mindset: not perfect at the first step
  • better done than perfect
  • think big, act small…
The auditor view helps to…
• Push the implementation of PDCA through the audit cycle
  • continuous improvement
  • step by step
• Have an independent / external view
• Keep the helicopter view, with a good relation between
  • Business
  • IT
  • DPO
  • Legal
Some practical hints
• Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
  • External audit
    • mostly at the end stage (before you restart the cycle)
    • certification target
  • Internal audit
    • separate department
    • why not cross-check? (cross-department)
    • external auditor (but still under the authority of the data controller)
Some practical hints
• Look at the external auditor as an advisor
  • not a checklist dummy
  • [NOT a consultant ;) ]
• Find the right auditor for you: YOU choose
  • experience, expertise
  • right mindset (continuous improvement)
• Focus on getting results
  • CMMI: 1… 2… 3… 4… 5…
Recap: ISO27701 mapping to ISO27001
ISO27701 4.2: application of the ISO27001 requirements (ISO27701 clause 5)
ISO27701   Topic                      ISO27001   Remark
5.2        Context of organisation    4          Changed
5.3        Leadership                 5          Direct
5.4        Planning                   6          Changed
5.5        Support                    7          Direct
5.6        Operation                  8          Direct
5.7        Performance evaluation     9          Direct
5.8        Improvement                10         Direct
Recap: ISO27701 mapping to ISO27002
ISO27701 4.3: application of the ISO27002 guidelines (ISO27701 clause 6)
ISO27701   Topic                              ISO27002   Remark
6.2        Policies                           5          Changed
6.3        Organisation                       6          Changed
6.4        HR                                 7          Changed
6.5        Asset management                   8          Changed
6.6        Access control                     9          Changed
6.7        Cryptography                       10         Changed
6.8        Physical and environment           11         Changed
6.9        Operations                         12         Changed
6.10       Communications                     13         Changed
6.11       Acquisition, development & maint.  14         Changed
6.12       Suppliers                          15         Changed
6.13       Incident management                16         Changed
6.14       Business continuity                17         Direct
6.15       Compliance                         18         Changed
The implementer view of ISO27701
Quick tour: special attention
PIMS 5.2 / ISMS 4 (Context): Implementer
Interested parties
• ISMS: mainly the enterprise, contractual parties, customers, … and a bit of the employee
• PIMS: strong focus on the data subject, for any type of data
Different approach
• High-impact regulation
• Worldwide
• A very powerful individual (the data subject)
• Define goal, vision, mission & strategy
• Documentation!
PIMS 5.3 / ISMS 5 (Leadership): Implementer
Leadership
• ISMS: vision, commitment, policy, RACI
• PIMS: accountability (ref. GDPR)
Make sure to
• Organize regular management meetings
• Plan the agenda, take notes, …
• Register the decisions taken
• Plan communication, incl. all interested parties (incl. external ones)
• Make sure management takes responsibility
• Make them accountable, …
PIMS 5.4 / ISMS 6 (Planning): Implementer
EXTREMELY IMPORTANT
• ISMS: risk management is a CORE requirement
• PIMS: PIA, DPIA (GDPR)
You must
• Have a risk register
• Set up a risk management system (not the software, but the process)
• Maintain risk management
HINT: how do you assess risk in an EXISTING environment? (for new processes, on updates of existing processes, and on a regular basis)
PIMS 5.5 / ISMS 7 (Support): Implementer
ISMS = PIMS; you must have
• Resources
• Competence
• Awareness, communication & education
• Documentation
You need
• Budget
• People
• Time
Other clauses: Implementer
PIMS 5.6/5.7/5.8 = ISMS 8/9/10
• Operations
• Performance evaluation
• Improvement
You need
• Operations: information security / data protection / privacy in your DNA
• Performance: plan for metrics and measure (CMMI level 4)
• Improvement: CONTINUOUSLY
PIMS 6 / ISMS Annex A
Policies
• ISMS: ISO27002 (114 controls + …)
• PIMS: ISO27002 + ISO27701
• ISMS prefix "A" = Annex A of ISO27001, which mirrors the ISO27002 controls
• Measures
• Controls
• For security we need PPT = people, process & technology
PIMS 6.2 / ISMS A5: Implementer
Policies
• ISMS: ISO27002 (114 controls + …)
• PIMS: ISO27002 + ISO27701
Tasks
• Set up policies / documentation
• Approve policies
• Execute policies
• Update policies on a regular basis
PIMS 6.3 / ISMS A6 (IS Organisation): Implementer
ISMS                    PIMS             Serving
Management team         idem             Enterprise
Risk management team    idem             Enterprise
Info sec team           idem             Enterprise
IT operations team      idem             Enterprise
Business                idem             Enterprise
Legal support           idem             Enterprise
/                       DPO or similar   Subject
PIMS 6.4 / ISMS A7 (HR): General
Info
• PIMS: privacy & data protection in
  • contracting
  • awareness
Special attention to
• Reference to data protection in contracting
• People are lazy (maintain awareness)
• Training
IMPORTANT: everyone must be on board to protect personal data!
PIMS 6.5 / ISMS A8 (Asset Mgmt): Implementer
Make sure to implement
• Asset inventory / CMDB
  • not only hardware
  • also processes
  • people & knowledge
Special attention to
• Classification
PIMS 6.5 / ISMS A8 (Asset Mgmt): Implementer
ISMS label (category)   PIMS label       Serving
0 - Public              Non PII/GDPR     Enterprise
1 - Internal                             Enterprise
2 - Strict internal                      Enterprise
3 - Critical                             Enterprise
(4 - Secret)                             Enterprise
                        PII              Subject
                        Sensitive PII    Subject
PIMS 6.6 / ISMS A9 (Access control): Implementer
Must have
• Access control policy
• User (de)registration
Special attention to
• PIMS: identity management
• PIMS EXPLICIT: DO NOT RE-USE user IDs
PIMS 6.7 / ISMS A10 (Crypto): General
Contains
• Crypto policy
• Special attention to PII treatment
Special attention to
• Subject information about crypto in
  • website, HR, registration systems, storage, backup, …
• Disposal of data!
• Evolution of technology in crypto!
PIMS 6.8 / ISMS A11 (Physical security): Implementer
Must have
• Physical security
• Security perimeters
• Layered security
Special attention to
• Core protection starts with physical protection
• Layered security, e.g.
  • street, outside, perimeter,
  • public zone, internal zone, restricted zone, high-protection core, …
• Define "who can do what, where (and when)"
PIMS 6.9 / ISMS A12 (Operations): Implementer
Special attention to (see previous sessions on PIMS)
• Backup
• Event logging
• Log protection
Do what you say,
say what you do, …
… and prove it
PIMS 6.10 / ISMS A13 (Communications): General
Make sure to have
• Information transfer policy
• Vendor / 3rd party / data processor policy
Special attention to
• Vendor/processor
• Confidentiality
• NDA
• Incident reporting & feedback
PIMS 6.11 / ISMS A14 (Build or buy): Implementer
Contains
• Development policies
• Software acquisition requirements
Special attention to
• Own responsibility
• Vendor/processor responsibility
• Security / data protection / privacy by design
• Security / data protection / privacy by default
PIMS explicit: no PII for testing purposes!
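A worked illustration of the "no PII for testing" rule above, added here and not part of the webinar deck or of either speaker's material. When testers still need data with a realistic shape, one accepted route is to derive the test set from a production extract while removing the PII: direct identifiers are replaced by keyed HMAC tokens (stable, so joins between tables keep working, but not reversible without the key, which stays in production), the date of birth is generalised to an age band, free text (where names tend to hide) is dropped, and a final check confirms that no identifier from the source survives in the output. The records, table layouts, field names and key are constructed for this example; the technique is one way to meet the control, not something the standard prescribes.

```python
"""Deriving a PII-free test dataset from a production extract (added example)."""
import hashlib
import hmac
from datetime import date

DIRECT_IDENTIFIERS = ("customer_id", "email", "phone")
FREE_TEXT = ("notes",)

# Constructed sample data with assumed table layouts (not a real export)
PRODUCTION_CUSTOMERS = [
    {"customer_id": "C-1001", "email": "anna@example.com", "phone": "+32 470 00 00 01",
     "date_of_birth": date(1984, 7, 19), "country": "BE",
     "notes": "Called about invoice; prefers Dutch"},
    {"customer_id": "C-1002", "email": "ben@example.com", "phone": "+32 470 00 00 02",
     "date_of_birth": date(1999, 2, 3), "country": "NL", "notes": ""},
]
PRODUCTION_ORDERS = [
    {"order_id": 1, "customer_id": "C-1001", "amount": 42.0},
    {"order_id": 2, "customer_id": "C-1001", "amount": 19.5},
    {"order_id": 3, "customer_id": "C-1002", "amount": 7.25},
]
EXAMPLE_KEY = b"constructed-example-key-keep-the-real-one-in-production"
AS_OF = date(2020, 6, 1)


def token(key: bytes, field: str, value: str) -> str:
    """Keyed, stable replacement for a direct identifier.

    The field name is bound into the MAC so the same string in two different
    fields does not yield the same token; 64 bits of the digest are kept so the
    result still reads like an identifier.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def age_band(dob: date, as_of: date) -> str:
    """Generalise a date of birth to a ten-year band, e.g. '30-39'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymize(record: dict, key: bytes, as_of: date) -> dict:
    """Tokenise direct identifiers, generalise the quasi-identifier, drop free text."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = token(key, field, str(value))
        elif field == "date_of_birth":
            out["age_band"] = age_band(value, as_of)
        elif field in FREE_TEXT:
            continue  # free text is dropped outright
        else:
            out[field] = value
    return out


def build_test_dataset(key=EXAMPLE_KEY, as_of=AS_OF):
    """Return (customers, orders) for the test environment; the join key survives."""
    customers = [pseudonymize(r, key, as_of) for r in PRODUCTION_CUSTOMERS]
    orders = [pseudonymize(r, key, as_of) for r in PRODUCTION_ORDERS]
    return customers, orders


def leaks_source_pii(test_records, source_records) -> bool:
    """True if any direct identifier or free-text value from the source appears in the output."""
    sensitive = {str(r[f]) for r in source_records
                 for f in DIRECT_IDENTIFIERS + FREE_TEXT if r.get(f)}
    return any(str(v) in sensitive for r in test_records for v in r.values())


if __name__ == "__main__":
    customers, orders = build_test_dataset()
    assert not leaks_source_pii(customers + orders, PRODUCTION_CUSTOMERS + PRODUCTION_ORDERS)
    for row in customers + orders:
        print(row)
```

The leak check is the part an auditor can ask to see run: it is the evidence that the dataset handed to the test team carries none of the source identifiers, which is a stronger statement than "we pseudonymised it". Keying the tokens on a secret that never leaves production is what keeps the test set from being trivially matched back to production by anyone who can guess an e-mail address.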
PIMS 6.12 / ISMS A15 (Supplier): Implementer
Important
• Compensate for the lack of physical control with legal control
• PIMS: high risk!
Special attention to
• Policy
• Contracts
• Expert legal support
• Right to audit!
PIMS 6.13 / ISMS A16 (Incident): Implementer
Important
• Incident register
• Incident = failure of the system (opportunity for improvement)
• PIMS: high risk of data breaches!
Special attention to
• Policy
• Tracking & improvement
• Escalation tracks
• Exercise, exercise!
PIMS 6.14 / ISMS A17 (BCM): Implementer
Important
• Maintaining data protection & privacy during a disaster
• BCM vs DRP
Special attention to
• Exercise
• Testing
• Vendors
PIMS 6.15 / ISMS A18 (Compliance): General
Pay attention to
• Legislation
• Contract obligations
• Company responsibility (protect yourself)
• Subject rights
Evidence
• Anything we discussed today…
The audit view of ISO27701
Focus on evidence
PIMS 5.2 / ISMS 4 (Context): Auditor
Interested parties
• ISMS: documentation on business model, mission, vision, …
• PIMS: ISMS documentation, privacy notices, … type of community
What evidence to find?
• Mission/vision
• Community
• Business model, processes, type of data
• Talking to the business & the customer department
PIMS 5.3 / ISMS 5 (Leadership): Auditor
Leadership
• ISMS: documentation on business model, mission, vision, …
• PIMS: ISMS documentation, privacy notices, … type of community
How to audit?
• Management meetings, agenda, notes, …
• Decisions taken
• Communication
• Approvals & signatures of policies, …
PIMS 5.4 / ISMS 6 (Planning): Auditor
Look for
• ISMS = risk management
• PIMS = risk management + PIA/DPIA
Evidence
• Risk sources: incident register, incident reporting
• Tracking of incident resolution
• Data breach reporting (confirmed incidents)
• Risk register (set up, up to date, ownership, RACI, …)
PIMS 5.5 / ISMS 7 (Support): Auditor
ISMS = PIMS
• Check for management support
• Check for an education plan
• Check for awareness
Evidence
• Interviews
• Management planning
• Education, awareness & communication
Other clauses: Auditor
PIMS 5.6/5.7/5.8 = ISMS 8/9/10
• Operations
• Performance evaluation
• Improvement
Evidence
• Operations: processes, procedures, … on the floor
• Performance: find the metrics
• Improvement: internal audit, new projects, updates, …
PIMS 6.2 / ISMS A5: Auditor
To check
• Policies
• SoA (Statement of Applicability)
Evidence
• Set-up of policies / documentation
• Approval of policies
• Execution of policies
• Updates
PIMS 6.3 / ISMS A6: Auditor
Check for
• Organigram
• Company organisation
• RACI
• Segregation of duties
Evidence
• Roles & responsibilities descriptions
• Function descriptions incl. ISMS/PIMS tasks
• People IN/OUT
PIMS 6.4 / ISMS A7 (HR): General
Info
• PIMS: privacy & data protection in
  • contracting
  • awareness
Special attention to
• Reference to data protection in contracting
• People are lazy (maintain awareness)
• Training
IMPORTANT: everyone must be on board to protect personal data!
PIMS 6.6 / ISMS A9 (Access control): Auditor
Pay attention to
• HR IN/OUT vs. IT IN/OUT
Evidence
• HR
• IT security
  • privileged account management
  • general accounts
  • in/out events
  • regular reviews (x times/yr)
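The access-control checks named in this section for the implementer (user (de)registration, do not re-use user IDs) and for the auditor (HR IN/OUT vs IT IN/OUT, privileged accounts, regular reviews) reduce to one reconciliation, shown here as an added example that is not part of the webinar deck or of either speaker's material. It joins an HR joiner/leaver roster to an IAM account export and reports leavers whose accounts are still enabled, accounts disabled late, accounts with no HR owner, and user IDs that have been handed to a second person; it also produces the list of enabled privileged accounts a reviewer signs off. All records are constructed sample data, and the field names, the 7-day disabling grace period and the review date are assumptions, not any HR or IAM product's export format.

```python
"""Access-review reconciliation: HR joiner/leaver records against an IAM export (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    start: date
    end: Optional[date]  # None: still employed


@dataclass(frozen=True)
class IamAccount:
    user_id: str
    employee_id: Optional[str]  # None: no HR owner recorded
    created: date
    disabled: Optional[date]  # None: still enabled
    privileged: bool


# Constructed sample data (assumed record shapes, not a real export)
HR = [
    HrRecord("E001", "A. Adams", date(2018, 1, 8), None),
    HrRecord("E002", "B. Baker", date(2019, 3, 1), date(2020, 2, 28)),
    HrRecord("E003", "C. Clarke", date(2019, 6, 15), date(2020, 4, 30)),
    HrRecord("E004", "D. Dupont", date(2020, 5, 4), None),
]
IAM = [
    IamAccount("aadams", "E001", date(2018, 1, 8), None, False),
    # left on 2020-02-28, account only disabled 47 days later
    IamAccount("bbaker", "E002", date(2019, 3, 1), date(2020, 4, 15), False),
    # left on 2020-04-30, privileged account never disabled
    IamAccount("cclarke", "E003", date(2019, 6, 15), None, True),
    # service account with no HR owner on record
    IamAccount("svc-backup", None, date(2017, 9, 1), None, True),
    # the leaver's user ID handed to a new hire: exactly what PIMS 6.6 forbids
    IamAccount("bbaker", "E004", date(2020, 5, 4), None, False),
]
REVIEW_DATE = date(2020, 6, 1)  # assumed date of the review run
GRACE_DAYS = 7  # assumed SLA for disabling an account after the HR end date


def review_accounts(hr, iam, as_of, grace_days=GRACE_DAYS) -> List[Tuple[str, str]]:
    """Reconcile HR IN/OUT with IT IN/OUT; return (user_id, finding) pairs."""
    employees = {h.employee_id: h for h in hr}
    owners_by_user_id = {}  # user_id -> set of employee_ids ever attached to it
    findings = []
    for acct in iam:
        if acct.employee_id is not None:
            owners_by_user_id.setdefault(acct.user_id, set()).add(acct.employee_id)
        emp = employees.get(acct.employee_id)
        if emp is None:
            findings.append((acct.user_id, "orphan: no HR owner"))
            continue
        # IT IN before HR IN: the account existed before the person joined
        if acct.created < emp.start:
            findings.append((acct.user_id, "account created before HR start date"))
        # HR OUT without a (timely) IT OUT
        if emp.end is not None and emp.end < as_of:
            if acct.disabled is None:
                kind = "privileged " if acct.privileged else ""
                findings.append((acct.user_id, f"leaver with {kind}account still enabled"))
            elif acct.disabled > emp.end + timedelta(days=grace_days):
                late = (acct.disabled - emp.end).days
                findings.append((acct.user_id, f"disabled {late} days after HR end date"))
    # The same user ID attached to more than one person over time is a re-use
    for user_id, owners in owners_by_user_id.items():
        if len(owners) > 1:
            findings.append((user_id, f"user ID re-used by {len(owners)} different people"))
    return findings


def privileged_attestation_list(hr, iam) -> List[Tuple[str, str]]:
    """Enabled privileged accounts with their owner: the list a reviewer signs off each cycle."""
    names = {h.employee_id: h.name for h in hr}
    return [(a.user_id, names.get(a.employee_id, "UNOWNED"))
            for a in iam if a.privileged and a.disabled is None]


def run_review(as_of=REVIEW_DATE):
    """Run the reconciliation over the sample data as of the given date."""
    return review_accounts(HR, IAM, as_of)


if __name__ == "__main__":
    for user_id, finding in run_review():
        print(f"{user_id:12} {finding}")
    print("privileged accounts to attest:", privileged_attestation_list(HR, IAM))
```

Run against the sample data this reports four findings: the late disabling of bbaker, the still-enabled privileged account of the leaver cclarke, the unowned svc-backup account, and the re-use of the bbaker user ID. The output of such a run, dated and kept, is the "in/out events" and "regular reviews" evidence the auditor slide asks for; the re-use finding is only detectable if the export keeps the history of who an ID was attached to, which is a good reason to retain disabled accounts rather than delete them.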
PIMS 6.7 / ISMS A10 (Crypto): General
Contains
• Crypto policy
• Special attention to PII treatment
Special attention to
• Subject information about crypto in
  • website, HR, registration systems, storage, backup, …
• Disposal of data!
PIMS 6.8 / ISMS A11 (Physical): Auditor
Pay attention to
• Building
• Locations
• Entry
• Zones
• Equipment, cabling
• 3rd parties (!)
Evidence
• On-site visit
PIMS 6.9 / ISMS A12 (Operations): Auditor
Pay attention to
• Tracing of the ISMS/PIMS on the floor
• People
Evidence
• Logs
• Processes & procedures
• Time stamps
• Ownership
• Meeting minutes
• Documentation
• …
PIMS 6.10 / ISMS A13 (Communications): General
Make sure to have
• Information transfer policy
• Vendor / 3rd party / data processor policy
Special attention to
• Vendor/processor
• Confidentiality
• NDA
• Incident reporting & feedback
PIMS 6.11 / ISMS A14 (Build or buy): Auditor
Pay attention to
• PIMS Annex A.7.4 (controller): privacy by design and privacy by default
• PIMS Annex B.8.4 (processor): privacy by design and privacy by default
Evidence
• Agreements
• Acquisition procedures
• Development policies & processes
PIMS 6.12 / ISMS A15 (Supplier): Auditor
Pay attention to
• Supplier policies
• Vendor relations
• Vendor contracts
Evidence
• Vendor negotiations
• Vendor contracts
• Vendor audits
• 3rd-party audit reports
• Vendor tracking / invoicing
• Vendor management updates
PIMS 6.13 / ISMS A16 (Incident): Auditor
Pay attention to
• Incident management policy
• Incident register
• Data breach register
• Data breach notifications
Evidence
• Policy metadata (owner, updates, …)
• Incident management procedure
• Data breach reporting
• DPA (data protection authority) communications, …
PIMS 6.14 / ISMS A17 (BCM): Auditor
Pay attention to
• Maintaining data protection & privacy during a disaster
• BCM vs DRP
Evidence
• BCM planning
• DRP plan
• Test plans
• Exercises
• Awareness, training & communication
PIMS 6.15 / ISMS A18 (Compliance): General
Pay attention to
• Legislation
• Contract obligations
• Company responsibility (protect yourself)
• Subject rights
Evidence
• Anything we discussed today…
And last but not least… never done
• PDCA… continuous improvement
• Start over again…
• See you at the next cycle…
Q & A: Questions & answers
Appendix: Ramping up…
Training agenda
Relevant PECB training courses: check the PECB agenda and select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
[Screenshot of the PECB "Training Events" page: for full details of an event, click the 'View' button under 'View full details'. Note: before applying for any of the training courses listed, make sure you are registered with PECB.]
Relevant training
PECB ISO 27701
• Foundation: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
• Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
• Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
PECB ISO 27001: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
• Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
• Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
PECB ISO 27002: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
• Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
PECB GDPR: https://pecb.com/en/education-and-certification-for-individuals/gdpr
• CDPO: https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer
PECB ISO 29100: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer
• Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
PECB ISO 27035 - Incident Management: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
• Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
PECB ISO 27005 - Risk Management: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
• Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
ISO/IEC 27701 training courses
• ISO/IEC 27701 Foundation: 2-day course
• ISO/IEC 27701 Lead Implementer: 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events
THANK YOU
Peter Geelen, CyberMinute: info@cyberminute.com
Stefan Mathuvis, QMA: stefan@qma.be

ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 

More from PECB (20)

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Recently uploaded

GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 

Recently uploaded (20)

GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 

Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation

• 8. Recap: ISO27001 structure
• Remember ISO27001
  • ISMS, Information Security (Management) System
  • 10 clauses
  • 114 controls (Annex A of ISO27001:2013)
  • Based on PDCA

• 9. ISO27001 main principle: PDCA
[Figure: the Plan, Do, Check, Act wheel rolling uphill over time; every turn is quality improvement, and the standard is the wedge (quality assurance) that keeps it from rolling back.]

• 11. PDCA in ISO27001 (source: PECB ISO27001 Lead Implementer)
• Plan: clause 6 Planning
• Do: clause 8 Operation
• Check: clause 9 Performance evaluation
• Act: clause 10 Improvement
• Supporting the cycle: clause 4 Context of the organization, clause 5 Leadership, clause 7 Support
• Annex A: Control objectives and controls

• 12. ISO27701 (PIMS)
• Extension to ISO27001 (ISMS)
  • Information Security Management System
  • + extension to privacy
  • + interpretation for GDPR
  = PIMS (Privacy Information Management System)

• 13. For this session… naming convention
To avoid any confusion:
• ISMS refers to ISO27001
• PIMS refers to ISO27701 (on top of ISO27001)

• 14. ISMS implementation vs audit: opposite or complementary?

• 15. The ISO audit lifecycle…
Officially it starts with the external audit, but…
• You can use the audit techniques during the initial implementation
• Implement a pre-stage audit
• An internal audit is needed (official requirement)
• The system must have a sufficient track record before the initial audit
After the initial audit
• Yearly surveillance
• 3-year cycle to renewal
• Continuous maintenance (also for internal audit)
• Continuous improvement

• 16. The ISO audit lifecycle…
Initial audit
• “Get in control”
• Passing the mark
• Basic maturity (ref. CMMI… level 3)
• Room for growth and maturity
Surveillance audit (+ recertification)
• “Stay in control”
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…

• 17. The implementation lifecycle…
Starts long before the external audit
• Use the audit techniques during the initial implementation
• Pre-stage audit
• Internal audit needed (official requirement)
Doesn’t stop after the initial external audit
• Maintenance

• 18. Hints and tips
When starting an ISMS implementation
• It takes time to adapt business processes to the ISO approach
• Focus on evidence:
  • not only documentation,
  • but also operational results that can be tracked,
  • and people who know how the ISMS plugs into their work
Audit
• Not just a checklist, but a focus on results
• Based on evidence (double evidence: what is documented and what is actually done)
• Advisory function (but not consulting)
• 19. ISMS to PIMS, in practice: getting the mind shift right…

• 20. Fundamental change in approach
When shifting from ISMS to PIMS
• It’s no longer about “enterprise only” data
• It’s ALSO about “personal data”
• On top of it…
Meaning: in the ISMS you are in the lead with enterprise data. In the PIMS the data subject is in the lead when personal data is handled (strong legislation gives power to the subject).

• 21. Fundamental change in mindset & environment
[Figure: from ISMS to PIMS]

• 22. The implementer/audit view of PIMS (recap from previous sessions)

• 23. Why is this important?
Auditor vs implementer
• If you know how the audit works, you know better what to implement
• Both in the right spirit:
  • results based,
  • not checklist based
• Growth mindset
  • Not perfect at the first step
  • Better done than perfect
  • Think big, act small…

• 24. The auditor view helps to…
• Push the implementation of PDCA through the audit cycle
  • continuous improvement
  • step by step
• Have an independent / external view
• Keep the helicopter view, with a good relation between
  • Business
  • IT
  • DPO
  • Legal

• 25. Some practical hints
• Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
  • External audit
    • mostly end stage (before you restart the cycle)
    • certification target
  • Internal audit
    • separate department
    • why not cross-check? (cross-department)
    • or an external auditor (but still under the authority of the data controller)

• 26. Some practical hints
• Look at the external auditor as an advisor
  • not a checklist dummy
  • [NOT a consultant ;) ]
• Find the right auditor for you, YOU choose
  • experience, expertise
  • right mindset (continuous improvement)
• Focus on getting results
  • CMMI: 1… 2… 3… 4… 5…
• 27. Recap: ISO27701 mapping to ISO27001
4.3 ISO27001 requirements (ISO27701 clause 5)
“Direct” means the ISO27001 text applies unchanged; “Changed” means ISO27701 adds PIMS-specific requirements.

  ISO27701   Topic                      ISO27001   Remark
  5.2        Context of organisation    4          Changed
  5.3        Leadership                 5          Direct
  5.4        Planning                   6          Changed
  5.5        Support                    7          Direct
  5.6        Operation                  8          Direct
  5.7        Performance evaluation     9          Direct
  5.8        Improvement                10         Direct

• 28. Recap: ISO27701 mapping to ISO27001
4.3 ISO27002 requirements (ISO27701 clause 6), part 1

  ISO27701   Topic                      ISO27002   Remark
  6.2        Policies                   5          Changed
  6.3        Organisation               6          Changed
  6.4        HR                         7          Changed
  6.5        Asset management           8          Changed
  6.6        Access control             9          Changed
  6.7        Cryptography               10         Changed
  6.8        Physical and environment   11         Changed

• 29. Recap: ISO27701 mapping to ISO27001
4.3 ISO27002 requirements (ISO27701 clause 6), part 2

  ISO27701   Topic                             ISO27002   Remark
  6.9        Operations                        12         Changed
  6.10       Communications                    13         Changed
  6.11       Acquisition, dev. & maintenance   14         Changed
  6.12       Suppliers                         15         Changed
  6.13       Incident mgmt                     16         Changed
  6.14       Business continuity               17         Direct
  6.15       Compliance                        18         Changed
• 30. The implementer view of ISO27701: quick tour of the points that need special attention

• 31. PIMS 5.2 / ISMS 4 (Context), implementer view
Interested parties
• ISMS: mainly the enterprise, contractual parties, customers, … and a bit of the employee
• PIMS: strong focus on the data subject, whatever the type of data
Different approach
• High-impact regulation
• Worldwide
• A very powerful individual (the data subject)
• Define goal, vision, mission & strategy
• Documentation!

• 32. PIMS 5.3 / ISMS 5 (Leadership), implementer view
Interested parties
• ISMS: vision, commitment, policy, RACI, …
• PIMS: accountability (ref. GDPR)
Make sure to
• Organize regular management meetings
• Plan the agenda, take notes, …
• Register the decisions taken
• Plan communication, incl. all interested parties (incl. external)
• Make sure management takes responsibility
• Make them accountable, …

• 33. PIMS 5.4 / ISMS 6 (Planning), implementer view
EXTREMELY IMPORTANT
• ISMS: risk management is the CORE requirement
• PIMS: PIA, DPIA (GDPR)
You must
• Have a risk register
• Set up a risk management system (not the software, but the process)
• Maintain risk management
HINT: how do you assess risk in an EXISTING environment? Assess new processes, reassess existing processes when they change, and reassess on a regular basis.

• 34. PIMS 5.5 / ISMS 7 (Support), implementer view
ISMS = PIMS, you must have
• Resources
• Competence
• Awareness, communication & education
• Documentation
You need
• Budget
• People
• Time

• 35. Other clauses, implementer view
PIMS 5.6 / 5.7 / 5.8 = ISMS 8 / 9 / 10
• Operations
• Performance
• Improvement
You need
• Operations: information security / data protection / privacy in your DNA
• Performance: plan for metrics and measure (CMMI level 4)
• Improvement: CONTINUOUSLY

• 36. PIMS 6 / ISMS Annex A
Policies
• ISMS: ISO27002 (114 controls + …)
• PIMS: ISO27002 + ISO27701
• ISMS prefix “A” = Annex A, the control list mirrored from ISO27002
  • measures
  • controls
• For security we need PPT = people, process & technology

• 37. PIMS 6.2 / ISMS A5 (Policies), implementer view
Policies
• ISMS: ISO27002 (114 controls + …)
• PIMS: ISO27002 + ISO27701
Tasks
• Set up policies / documentation
• Approve policies
• Execute policies
• Update policies on a regular basis

• 38. PIMS 6.3 / ISMS A6 (IS organisation), implementer view

  ISMS                     PIMS             Serving
  Management team          idem             Enterprise
  Risk management team     idem             Enterprise
  Info sec team            idem             Enterprise
  IT operations team       idem             Enterprise
  Business                 idem             Enterprise
  Legal support            idem             Enterprise
  (none)                   DPO or similar   Subject

• 39. PIMS 6.4 / ISMS A7 (HR), general
Info
• PIMS: privacy & data protection in
  • contracting
  • awareness
Special attention to
• Reference to data protection in contracting
• People are lazy (maintain awareness)
• Training
IMPORTANT: everyone must be on board to protect personal data!

• 40. PIMS 6.5 / ISMS A8 (Asset Mgmt), implementer view
Make sure to implement
• Asset inventory / CMDB
  • not only HW
  • also processes
  • people & knowledge
Special attention to
• Classification

• 41. PIMS 6.5 / ISMS A8 (Asset Mgmt), implementer view: classification labels

  ISMS label (category)   PIMS label       Serving
  0 - Public              Non-PII / GDPR   Enterprise
  1 - Internal            idem             Enterprise
  2 - Strict internal     idem             Enterprise
  3 - Critical            idem             Enterprise
  (4 - Secret)            idem             Enterprise
  (none)                  PII              Subject
  (none)                  Sensitive PII    Subject

• 42. PIMS 6.6 / ISMS A9 (Access ctrl.), implementer view
Must have
• Access control policy
• User (de)registration
Special attention to
• PIMS: identity management
• PIMS EXPLICIT: DO NOT RE-USE user IDs

• 43. PIMS 6.7 / ISMS A10 (Crypto), general
Contains
• Crypto policy
• Special attention to PII treatment
Special attention to
• Subject information and crypto in website, HR, registration systems, storage, backup, …
• Disposal of data!
• Evolution of technology in crypto!

• 44. PIMS 6.8 / ISMS A11 (Physical Sec.), implementer view
Must have
• Physical security
• Security perimeters
• Layered security
Special attention to
• Core protection starts with physical protection
• Layered security like
  • street, outside, perimeter,
  • public zone, internal zone, restricted zone, high-protection core, …
• Define: “who can do what and where (and when)”

• 45. PIMS 6.9 / ISMS A12 (Operations), implementer view
Special attention to (see previous sessions on PIMS)
• Backup
• Event logging
• Log protection
Do what you say, say what you do, … and prove it

• 46. PIMS 6.10 / ISMS A13 (Comm.), general
Make sure to have
• Information transfer policy
• Vendor / 3rd party / data processor policy
Special attention to
• Vendor/processor
  • confidentiality
  • NDA
  • incident reporting & feedback

• 47. PIMS 6.11 / ISMS A14 (Build or buy), implementer view
Contains
• Development policies
• SW acquisition requirements
Special attention to
• Own responsibility
• Vendor/processor responsibility
• Security / data protection / privacy by design
• Security / data protection / privacy by default
PIMS explicit: no PII for testing purposes!
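For the last point on slide 47 (no PII in test environments), here is an added example of one way to build a test dataset from production-shaped records. It is not from the deck or from PECB; the record layout, the column names and the key value are assumptions. Direct identifiers are replaced by a keyed, field-scoped HMAC token (joins between records still work, but without the key nobody can reverse the token or match it against a list of known e-mail addresses), contact and free-text fields are dropped, and quasi-identifiers are generalised:

```python
import hmac
import hashlib
from datetime import date

# Assumed record layout: which columns are direct identifiers and which are
# not needed in a test environment at all (assumption, not from the deck).
DIRECT_IDENTIFIERS = ("customer_id", "email", "national_id")
DROP = ("name", "phone", "notes")


def pseudonym(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, field-scoped pseudonym for one identifier value.

    HMAC instead of a plain hash: someone holding a list of e-mail addresses
    cannot hash them and match the test data without the key. The field name
    is mixed in so the same value does not yield the same token in two
    unrelated columns.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize(record: dict, key: bytes) -> dict:
    """One production-shaped record -> one record safe for a test system."""
    out = {}
    for field, value in record.items():
        if field in DROP:
            continue                                   # free text, contact data: gone
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(key, field, str(value))
        elif field == "birth_date":
            out["birth_year"] = value.year             # generalise: age logic only needs the year
        elif field == "postcode":
            out["postcode"] = value[:2] + "**"         # keep the region, drop the street level
        else:
            out[field] = value                         # business data stays as is
    return out


def build_test_set(records: list, key: bytes) -> list:
    return [pseudonymize(r, key) for r in records]


def joins_preserved(records: list, key: bytes) -> bool:
    """Every source customer_id must map to exactly one token, so that
    customer/order joins still work in the test environment."""
    tokens = {}
    for src, dst in zip(records, build_test_set(records, key)):
        tokens.setdefault(src["customer_id"], set()).add(dst["customer_id"])
    return all(len(t) == 1 for t in tokens.values())


# Constructed sample records (fictional people, not real data).
SAMPLE = [
    {"customer_id": "C-1001", "name": "Ann Example", "email": "ann@example.org",
     "national_id": "85.01.01-123.45", "birth_date": date(1985, 1, 1),
     "postcode": "3000", "phone": "+32 2 000 00 00", "plan": "gold", "notes": "first order"},
    {"customer_id": "C-1001", "name": "Ann Example", "email": "ann@example.org",
     "national_id": "85.01.01-123.45", "birth_date": date(1985, 1, 1),
     "postcode": "3000", "phone": "+32 2 000 00 00", "plan": "gold", "notes": "second order"},
    {"customer_id": "C-1002", "name": "Bo Sample", "email": "bo@example.org",
     "national_id": "90.02.02-678.90", "birth_date": date(1990, 2, 2),
     "postcode": "9000", "phone": "+32 9 000 00 00", "plan": "basic", "notes": ""},
]
# Assumed: the build key is generated per test-data refresh and never copied
# into the test environment; a fixed value is used here only to stay runnable.
SAMPLE_KEY = b"\x01" * 32

if __name__ == "__main__":
    for row in build_test_set(SAMPLE, SAMPLE_KEY):
        print(row)
```

The key is the whole point of the design: if it leaks into the test environment, the tokens become reversible by anyone who can guess the inputs, so generate it on the build host, keep it with the production secrets, and throw it away (or rotate it) once the test set is produced. An auditor checking this control will ask to see where that key lives, not just the script.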
  • 48. Important • Compensate for lack of physical control • Legal control • PIMS : High risk! Special attention to • Policy • Contracts • Expert legal support • Right to audit! PIMS 6.12 / ISMS A15 (Supplier) Implementer
  • 49. Important • Incident register • Incident = failure of system (opportunity for improvement) • PIMS : High risk for data breaches! Special attention to • Policy • Tracking & improvement • Escalation tracks • Exercise, exercise! PIMS 6.13 / ISMS A16 (Incident) Implementer
  • 50. Important • Maintaining data protection & privacy during disaster • BCM vs DRP Special attention to • Exercise • Testing • Vendors PIMS 6.14 / ISMS A17 (BCM) Implementer
  • 51. Pay attention to • Legislation • Contract obligations • Company responsibility (protect yourself) • Subject rights Evidence • Anything we discussed today… PIMS 6.15 / ISMS A18 (Compliance) General
  • 52. The audit view of ISO27701 Focus on evidence
  • 53. Interested parties • ISMS: documentation on business model, mission, vision, … • PIMS: ISMS documentation, privacy notices, .. Type of community What evidence to find? • Mission/Vision • Community • Business model, processes, type of data • Talking to business & customer dept. PIMS 5.2 / ISMS 4 (Context) Auditor
  • 54. Interested parties • ISMS: documentation on business model, mission, vision, … • PIMS: ISMS documentation, privacy notices, .. Type of community How to audit? • Management meetings, agenda, notes, … • Decisions taken • Communication • Approvals & signature of policies, … PIMS 5.3 / ISMS 5 (Leadership) Auditor
  • 55. Look for • ISMS = Risk management • PIMS = Risk management + PIA/DPIA Evidence • Risk sources: incident register, incident reporting, • Track solution of incident • Data breach reporting (confirmed incidents) • Risk register (setup, up to date, ownership, RACI, …) PIMS 5.4 / ISMS 6 (Planning) Auditor
  • 56. ISMS = PIMS • Check for management support • Check for education plan • Check for awareness Evidence • Interview • Management planning • Education, awareness & communication PIMS 5.5 / ISMS 7 (Support) Auditor
• 57. PIMS 5.6/5.7/5.8 = ISMS 8/9/10 • Operations • Performance • Improvement Evidence • Operations: processes, procedures, … on the floor • Performance: Find the metrics • Improvement: internal audit, new projects, updates, … Other clauses Auditor
  • 58. To check • Policies • SOA Evidence • Setup policies / documentation • Approval of policies • Execution policies • Updates PIMS 6.2 / ISMS A5 Auditor
  • 59. Check for • organigram • Company organisation • RACI • Segregation of duties Evidence • Roles & responsibilities description • Function description incl. ISMS/PIMS tasks • People IN/OUT PIMS 6.3 / ISMS A6 Auditor
• 60. Info • PIMS: privacy & data protection in • contracting • awareness. Special attention to • Reference of data protection in contracting • People are lazy (maintain awareness) • Training IMPORTANT: everyone must be on board to protect personal data! PIMS 6.4 / ISMS A7 (HR) General
  • 61. Pay attention to • HR IN/OUT vs. IT IN/OUT Evidence • HR • IT security • Privileged account management • General accounts • In/out events • Regular reviews (x times /yr) PIMS 6.6 / ISMS A9 (Access ctrl.) Auditor
  • 62. Contains • Crypto policy • Special attention to PII treatment Special attention to • Subject information about crypto in • Website, HR, registration systems, storage, backup, … • Disposal of data ! PIMS 6.7 / ISMS A10 (Crypto) General
• 63. Pay attention to • Building • Locations • Entry • Zones • Equipment, cabling • 3rd party (!) Evidence • On site visit PIMS 6.8 / ISMS A11 (Physical) Auditor
  • 64. Pay attention to • Tracing of ISMS/PIMS on the floor • People Evidence • Logs • Processes & procedures • Time stamps • Ownership • Meeting minutes • Documentation • …. PIMS 6.9 / ISMS A12 (Operations) Auditor
  • 65. Make sure to have • Information transfer policy • Vendor / 3rd party / Data processor policy Special attention to • Vendor/processor • Confidentiality • NDA • Incident reporting & feedback PIMS 6.10 / ISMS A13 (Communic.) General
  • 66. Pay attention to • PIMS Annex A.7.4 (controller) • PIMS Annex B.8.4 (processor) Evidence • Agreements • Acquisition procedures • Development policies & processes PIMS 6.11 / ISMS A14 (Build or buy) Auditor
  • 67. Pay attention to • Supplier policies • Vendor relations • Vendor contracts Evidence • Vendor negotiations • Vendor contracts • Vendor audits • 3rd party audit reports • Vendor tracking/invoicing • Vendor management updates PIMS 6.12 / ISMS A15 (Supplier) Auditor
• 68. Pay attention to • Incident management policy • Incident register • Data breach register • Data breach notifications Evidence • Policy metadata (owner, updates, …) • Incident management procedure • Data breach reporting • DPA communications, … PIMS 6.13 / ISMS A16 (Incident) Auditor
  • 69. Pay attention to • Maintaining data protection & privacy during disaster • BCM vs DRP Evidence • BCM planning • DRP plan • Test plans • Exercises • Awareness, training & communication PIMS 6.14 / ISMS A17 (BCM) Auditor
  • 70. Pay attention to • Legislation • Contract obligations • Company responsibility (protect yourself) • Subject rights Evidence • Anything we discussed today… PIMS 6.15 / ISMS A18 (Compliance) General
  • 71. And last but not least… Never done
• 72. PDCA… Continuous improvement Start over again… See you at the next cycle…
  • 73. Q & A Questions & answers
  • 75. Ramping up… Relevant PECB Training courses
• 76. Check the PECB agenda and select the ISO/IEC 27701 Lead Implementer course: https://pecb.com/en/partnerEvent/event_schedule_list Training Events: For full detailed information about an event, click on the ‘View’ button on the right-hand side under ‘View full details’. Note: Before applying for any training courses listed below, please make sure you are registered with PECB. Training Agenda
• 77. Relevant Training PECB ISO 27701 Foundation https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation PECB ISO 27701 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer PECB ISO 27701 Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
• 78. Relevant Training PECB ISO 27001 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
• 79. Relevant Training PECB ISO 27002 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002 Lead Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
• 81. Relevant Training PECB ISO29100 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
• 82. Relevant Training PECB ISO27035 - Incident Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 Lead Incident Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
• 83. Relevant Training PECB ISO27005 - Risk Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 Lead Risk Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
• 84. ISO/IEC 27701 Training Courses • ISO/IEC 27701 Foundation 2 Day Course • ISO/IEC 27701 Lead Implementer 5 Day Course Exam and certification fees are included in the training price. https://pecb.com/en/education-and-certification-for-individuals/iso-27701 www.pecb.com/events